Top 10 Cybersecurity Misconfigurations and Why They Matter
Late last year, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed the top 10 most common cybersecurity misconfigurations discovered by their teams in the networks of large organizations.
Technical jargon aside, you’re probably asking yourself, “What does this mean and why does it matter?”
In layman’s terms, these are the kinds of weaknesses attackers are exploiting to gain access to networks. So, by knowing what attackers are doing, you can put procedures and software in place to better defend yourself against those attacks. In other words, get more “bang for your IT security buck.”
The top 10 most common cybersecurity misconfigurations discovered include:
- Default configurations of software and applications
- Improper separation of user/administrator privilege
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- Bypass of system access controls
- Weak or misconfigured multifactor authentication (MFA) methods
- Insufficient access control lists (ACLs) on network shares and services
- Poor credential hygiene
- Unrestricted code execution
We’ll break down what each misconfiguration means and why it’s important to defend against.
Default Configurations of Software and Applications
When your organization gets new software or hardware, someone needs to initially set it up. In most cases, the default password is set by the manufacturer and publicly available to simplify this process.
It’s often a combination of “admin” for username and “password” for password or other generic terms that can be easily guessed.
If the default credentials are never changed, attackers can abuse this by finding these default credentials with a simple web search and using them to gain unauthorized access to a device or application.
Once inside, they can change the credentials, lock out users and access data.
Improper Separation of User/Administrator Privilege
On a single computer, local administrator access means a user has complete control over their computer so they can install and uninstall software, delete system or network files, add or remove users, and more. Attackers can gain access to these privileged accounts and wreak havoc on a single computer. It gets worse when attackers get access to accounts with privileges beyond a single computer, like across the network, on a server or within critical applications.
You can think of each user having administrator privilege as having a master key to your home. The more master keys there are, the more opportunities an attacker has to steal one of those master keys and gain access to your organization’s network.
Organizations should enforce a least-privilege security model, which means users have just enough permissions to do their jobs and nothing more.
Insufficient Internal Network Monitoring
It’s common for businesses to save money by only monitoring computers and servers (host-based monitoring) and not monitoring the network that connects them. This is like the security staff for a gated community who can detect a break-in at a house but can’t see or stop the intruder as they move through the neighborhood.
For example, suppose an organization utilizes host-based monitoring but no network monitoring. In that case, that organization would be able to identify an infected device, but it would struggle to identify where the infection was coming from and could have a hard time stopping further infections to other devices.
Lack of Network Segmentation
Network segmentation separates portions of the network so that if breached, an attacker doesn’t have access to the entire network.
Basically, it creates multiple “islands” on a network. Any damage an attacker does on that island will be contained on that island, making it much easier to fix and recover from.
Poor Patch Management
Software and hardware vendors regularly release patches to address security vulnerabilities. Poor patch management includes a lack of regular patching and using unsupported operating systems and outdated firmware.
Failure to apply the latest patches can leave a system open to compromise from publicly available exploits. Attackers target these vulnerabilities, hoping your organization doesn’t patch its systems regularly.
Additionally, using software or hardware that is no longer supported poses a significant security risk because new and existing vulnerabilities are no longer patched.
Bypass of System Access Controls
There are ways that attackers can trick your systems into thinking the correct password was entered without the attacker ever actually knowing your password.
If an attacker can collect password hashes (one-way values derived from passwords, which systems store and compare against to verify a login), they can use those hashes directly to bypass system access controls and pretend to be someone in your organization.
By mimicking accounts without the clear-text password, they can expand their access without detection.
Weak or Misconfigured Multifactor Authentication Methods
While any sort of multifactor authentication is better than no MFA, some forms are stronger than others, and even a strong form can be weakened by an improper configuration.
For example, some organizations may use smart cards or tokens that are required to access accounts. However, the MFA requirements could be configured so the password hashes for accounts never change.
Even though the password isn’t used — because the smart card or token is used instead — there still are password hashes for the account. If the hashes never change, an attacker could use them indefinitely if they ever collected those hashes.
Additionally, attackers have used voice phishing to convince users to provide missing MFA information. Posing as an organization’s IT staff, they convince the user to provide the MFA code over the phone.
Enrolling your organization in phishing training will inform your employees of the tactics attackers use and be wary of anybody — even IT staff — asking for personal information.
Insufficient Access Control Lists on Network Shares and Services
This misconfiguration simply boils down to allowing users within your organization to access folders, files and entire shared drives that they don’t need access to.
For example, any employee who is not part of the HR department should not have access to employee insurance or personal information. They don’t need that access to do their job, so there is no reason for them to have those permissions.
The more people who have access to sensitive information, the easier it is for attackers to collect and exfiltrate the data.
Poor Credential Hygiene
Strong password usage is the easiest way to strengthen your organization’s security measures, especially if you don’t have any MFA enabled. Passwords should be long (at least 14 characters) and random (unique and not easily guessed), and you should never use the same password for multiple accounts.
Organizations should provide or allow employees to use password managers, as they allow for random generation of passwords and easy, secure storage of passwords for each account.
The use of password managers will negate the need to store passwords in a spreadsheet or text file, which attackers search in hopes of finding password lists.
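The following is an added example, not code from the original post or from the NSA/CISA advisory, showing how the credential checks described in the "Default Configurations" and "Poor Credential Hygiene" sections can be automated on the defender's side: flag accounts still using a vendor default, enforce the 14-character minimum, generate random passwords with the operating system's secure random source, and detect password reuse across accounts without comparing plaintext. The default-credential list and the account inventory are constructed sample data; a real audit would take both from your own vendor documentation and password manager export.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample of vendor default credentials of the kind the post describes.
# A real audit list would come from the documentation for the devices you own.
DEFAULT_CREDENTIALS = {
    ("admin", "password"),
    ("admin", "admin"),
    ("root", "root"),
}

# Constructed short list of commonly guessed passwords used by the policy check.
COMMON_PASSWORDS = {p for _, p in DEFAULT_CREDENTIALS} | {"password123", "welcome1"}

MIN_LENGTH = 14  # the post's recommended minimum password length


def is_default_credential(username, password):
    """True if the username/password pair matches a known vendor default."""
    return (username.lower(), password) in DEFAULT_CREDENTIALS


def password_policy_failures(password):
    """Return the policy rules a password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("matches a common or default password")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        failures.append("uses fewer than three character classes")
    return failures


def generate_password(length=20):
    """Generate a random password from the OS CSPRNG, retrying until it passes the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_policy_failures(candidate):
            return candidate


def find_reused_passwords(accounts):
    """Group accounts that share a password, comparing SHA-256 digests rather than plaintext.

    accounts maps an account label to its password; the result maps a digest to the
    sorted list of accounts that share it (only groups of two or more are returned).
    """
    by_digest = defaultdict(list)
    for account, password in accounts.items():
        by_digest[hashlib.sha256(password.encode()).hexdigest()].append(account)
    return {d: sorted(a) for d, a in by_digest.items() if len(a) > 1}


def audit_accounts(accounts):
    """Run every check over an inventory of 'user@device' -> password and report issues."""
    report = {}
    for account, password in accounts.items():
        username = account.split("@")[0]
        issues = password_policy_failures(password)
        if is_default_credential(username, password):
            issues.append("vendor default credential still in use")
        if issues:
            report[account] = issues
    return report


if __name__ == "__main__":
    # Constructed inventory: one router left on its default, one workstation done right.
    inventory = {
        "admin@router": "password",
        "alice@workstation": "Correct-Horse-Battery-9",
    }
    for account, issues in audit_accounts(inventory).items():
        print(account, "->", "; ".join(issues))
    print("suggested replacement:", generate_password(20))
```

The reuse check hashes each password before grouping so the comparison never needs the plaintext values side by side; a password manager export is the realistic input for it.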
Unrestricted Code Execution
Lastly, if unverified programs are allowed to run on devices, attackers can run whatever they want once they gain access.
Attackers often run their own code after gaining initial access, both to hide their activity and to get around application allowlisting, the practice of blocking applications and other forms of code by default and permitting only those that are known and trusted.
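To make the allowlisting idea concrete, here is an added example (not code from the original post or from any particular allowlisting product) of a deny-by-default check keyed on a file's SHA-256 content hash rather than its name or location. The `Allowlist` class, the demo files and their contents are all constructed for illustration; a real deployment would use the operating system's own application-control feature, but the decision logic is the same.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path):
    """Hash a file's contents in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class Allowlist:
    """Deny-by-default allowlist: a file may run only if its content hash is approved."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)
        self.decisions = []  # audit trail of (path, digest, allowed) for later review

    def is_allowed(self, path):
        digest = sha256_of_file(path)
        allowed = digest in self.approved
        self.decisions.append((path, digest, allowed))
        return allowed


def run_demo():
    """Constructed scenario showing that names are irrelevant and tampering is caught.

    Returns a dict of case name -> allowed decision.
    """
    workdir = tempfile.mkdtemp()
    approved = os.path.join(workdir, "backup.sh")
    with open(approved, "wb") as f:
        f.write(b"#!/bin/sh\ntar czf /backup/files.tgz /data\n")  # constructed approved script

    allowlist = Allowlist([sha256_of_file(approved)])
    results = {}

    # 1. The approved file itself runs.
    results["approved"] = allowlist.is_allowed(approved)

    # 2. Same content under a different name still runs: the decision follows content.
    renamed = os.path.join(workdir, "nightly.sh")
    shutil.copyfile(approved, renamed)
    results["renamed_copy"] = allowlist.is_allowed(renamed)

    # 3. Different content placed at the approved path is denied: name alone earns nothing.
    with open(approved, "wb") as f:
        f.write(b"#!/bin/sh\necho not the approved script\n")  # constructed modified script
    results["modified"] = allowlist.is_allowed(approved)

    # 4. A file never registered is denied by default.
    unknown = os.path.join(workdir, "tool.sh")
    with open(unknown, "wb") as f:
        f.write(b"#!/bin/sh\necho never reviewed\n")  # constructed unknown script
    results["unknown"] = allowlist.is_allowed(unknown)

    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for case, allowed in run_demo().items():
        print(f"{case:13s} -> {'allowed' if allowed else 'denied'}")
```

The `decisions` list is the part worth wiring into monitoring: every denied execution is a signal that something unapproved tried to run, which is exactly the activity the "insufficient internal network monitoring" section says organizations tend to miss.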
This is a lot of information to digest, and no one expects you as a business leader to implement procedures to cover these misconfigurations in short order.
However, your managed service provider can help you address any vulnerabilities you may have in your network and better protect your organization from cyberattacks or data breaches.
West Michigan IT Services